Re: [nsp] Experience with NSE-1 and IOS 12.0S?

From: George Robbins (grr@shandakor.tharsis.com)
Date: Mon Mar 19 2001 - 13:02:28 EST


From what I can see the problem with IP accounting is that the list
of IP addresses isn't optimized (hash, tree, etc) so the more entries,
the more CPU used in IP input. You can totally screw yourself if
you specify a large number of entries and get a burst of traffic
for an IP near the end of the list or not in the list at all.

If you're under attack, setting the number of entries to a small
number (25-50 for example) before turning on IP accounting helps
avoid having to wait for the router to crash and reboot...

                                                George

> From cisco-nsp-request@puck.nether.net Mon Mar 19 12:54:48 2001
> Resent-Date: Mon, 19 Mar 2001 12:54:30 -0500
> Received-Date: Mon, 19 Mar 2001 12:50:52 -0500
> Date: Mon, 19 Mar 2001 18:50:45 +0100
> From: Gert Doering <gert@greenie.muc.de>
> To: sthaug@nethelp.no, marcus@ri.st
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [nsp] Experience with NSE-1 and IOS 12.0S?
> References: <20010319141257.B6573@c3po.netplace.de> <3151.985021187@verdi.nethelp.no>
> In-Reply-To: <3151.985021187@verdi.nethelp.no>; from sthaug@nethelp.no on Mon, Mar 19, 2001 at 05:59:47PM +0100
> X-mgetty-docs: http://alpha.greenie.net/mgetty/
> Resent-From: cisco-nsp@puck.nether.net
> X-Mailing-List: <cisco-nsp@puck.nether.net> archive/latest/5742
> X-Loop: cisco-nsp@puck.nether.net
> Precedence: list
> Resent-Sender: cisco-nsp-request@puck.nether.net
>
> Hi,
>
> On Mon, Mar 19, 2001 at 05:59:47PM +0100, sthaug@nethelp.no wrote:
> > > Since Friday i have a new box running. Cisco 7206VXR, NSE-1, I/O-2FE/E
> > > with IOS 12.0(15)S1.
> [..]
> > We're now running the same routers with 12.1(5a)E2, and PXF is working
> > nicely. We're using this box with a lot of ACLs, and the difference in
> > processor load with and without PXF is very significant.
>
> Are you using it with "ip accounting output-packets"? If yes, with what
> results?
>
> This is one of our major headaches right now with the 720x family. Under
> normal conditions, "ip acc out" doesn't place any major strains on the
> CPU, but if "friendly people" start hitting you with a burst of "spray"
> packets, like:
>
> 90.000 packets with <random source IP> --> fixed destination IP
>
> (different source IPs for each packet - obviously meant to be a DoS
> attack...) or:
>
> 100.000 packets with fixed source IP -> scanning a full class A network
>
> (a network scanner running wild)
>
> *really* bad things happen. About 3-5 Mbit/s of those packets, each one
> of them resulting in a new entry in the "show ip accounting" list, *kills*
> a 7206 with NPE-300 - the CPU goes up to 95% IRQ load, the router stops
> responding to ping or telnet packets, after a while its neighbours drop
> its BGP and EIGRP sessions ("hold time exceeded"), and then goodbye to
> your network.
>
> A 7507 with RSP4 seems to handle this kind of traffic nicely (without
> any fancy distributed anything, just doing all of it with the main CPU),
> so I suspect a bug in the 720x design or implementation...
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert@greenie.muc.de
> fax: +49-89-35655025 gert.doering@physik.tu-muenchen.de
>
>
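An added illustration of the cost model George describes, not code from either poster and not Cisco's implementation: the thread only says the accounting list "isn't optimized", so the linear front-to-back scan below is an assumed model, with a hashed table beside it for contrast. The "spray" and "scan" generators build the two traffic patterns Gert describes (many sources to one destination; one source to many destinations) from constructed RFC 5737 / RFC 1918 addresses. The point the numbers make is that every packet pays a full scan once it is not in the list or sits near its end, so the per-packet cost in the input path tracks the configured table size, not the traffic rate.

```python
"""Model of per-packet cost for a linear vs. hashed IP accounting table.

Assumption (not from the thread): the router keeps (src, dst) pairs in an
unsorted list and scans it on every forwarded packet.  The hashed table
is the "optimized (hash, tree, etc)" alternative George mentions.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

Flow = Tuple[str, str]            # (source IP, destination IP)
Packet = Tuple[str, str, int]     # (source IP, destination IP, bytes)


@dataclass
class LinearTable:
    max_entries: int
    entries: List[list] = field(default_factory=list)  # [src, dst, pkts, bytes]
    compares: int = 0          # address comparisons paid in the forwarding path
    overflow_packets: int = 0  # packets that found no slot (scan was paid anyway)

    def account(self, src: str, dst: str, size: int) -> None:
        for e in self.entries:             # front-to-back scan: O(table size)
            self.compares += 1
            if e[0] == src and e[1] == dst:
                e[2] += 1
                e[3] += size
                return
        if len(self.entries) < self.max_entries:
            self.entries.append([src, dst, 1, size])
        else:
            self.overflow_packets += 1     # table full: full scan wasted


@dataclass
class HashedTable:
    max_entries: int
    entries: Dict[Flow, list] = field(default_factory=dict)
    compares: int = 0
    overflow_packets: int = 0

    def account(self, src: str, dst: str, size: int) -> None:
        self.compares += 1                 # one hash lookup, O(1) per packet
        e = self.entries.get((src, dst))
        if e is not None:
            e[0] += 1
            e[1] += size
        elif len(self.entries) < self.max_entries:
            self.entries[(src, dst)] = [1, size]
        else:
            self.overflow_packets += 1


def ip_from_index(i: int, prefix: str = "10") -> str:
    """Deterministic constructed address: 10.x.y.z derived from a counter."""
    return f"{prefix}.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"


def spray(n: int, dst: str = "192.0.2.10") -> Iterable[Packet]:
    """n packets, each from a different source, all to one destination."""
    for i in range(n):
        yield (ip_from_index(i), dst, 64)


def scan(n: int, src: str = "198.51.100.7") -> Iterable[Packet]:
    """n packets from one source, each to a different destination."""
    for i in range(n):
        yield (src, ip_from_index(i), 40)


def run(table, packets: Iterable[Packet]) -> float:
    """Feed packets through the table; return mean comparisons per packet."""
    count = 0
    for src, dst, size in packets:
        table.account(src, dst, size)
        count += 1
    return table.compares / count


if __name__ == "__main__":
    burst = 5000
    for cap in (512, 50):   # 512 models a large table, 50 George's small one
        lin = LinearTable(cap)
        print(f"linear cap={cap:3d}: {run(lin, spray(burst)):7.1f} compares/pkt, "
              f"{lin.overflow_packets} packets overflowed")
    hsh = HashedTable(512)
    print(f"hashed cap=512: {run(hsh, scan(burst)):7.1f} compares/pkt")
```

With a 512-entry linear table the spray costs about 486 comparisons per packet once the table is full, and every packet after the 512th is pure wasted work; capping the table at 50 drops that to about 50, which is the effect George is after by setting a small entry count before enabling accounting (in IOS that cap is the global `ip accounting-threshold` command, per the IOS documentation rather than this thread). The hashed table stays at one lookup per packet regardless of size, which is why the table layout, not the packet rate, decides whether a 3-5 Mbit/s burst is survivable.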



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:32 EDT